Candidate: CVE-2018-1999024
PublicDate: 2018-07-23 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999024
 https://blog.bentkowski.info/2018/06/xss-in-google-colaboratory-csp-bypass.html
 https://github.com/mathjax/MathJax/commit/a55da396c18cafb767a26aa9ad96f6f4199852f1
Description:
 MathJax version prior to version 2.7.4 contains a Cross Site Scripting
 (XSS) vulnerability in the \unicode{} macro that can result in Potentially
 untrusted Javascript running within a web browser. This attack appear to be
 exploitable via The victim must view a page where untrusted content is
 processed using Mathjax. This vulnerability appears to have been fixed in
 2.7.4 and later.
Ubuntu-Description:
Notes:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N [5.4 MEDIUM]


Patches_mathjax:
upstream_mathjax: released (2.7.4+dfsg-1)
precise/esm_mathjax: DNE
trusty_mathjax: ignored (out of standard support)
trusty/esm_mathjax: needed
xenial_mathjax: ignored (end of standard support, was needed)
bionic_mathjax: needed
cosmic_mathjax: not-affected (2.7.4+dfsg-1)
disco_mathjax: not-affected (2.7.4+dfsg-1)
eoan_mathjax: not-affected (2.7.4+dfsg-1)
focal_mathjax: not-affected (2.7.4+dfsg-1)
groovy_mathjax: not-affected (2.7.4+dfsg-1)
hirsute_mathjax: not-affected (2.7.4+dfsg-1)
impish_mathjax: not-affected (2.7.4+dfsg-1)
jammy_mathjax: not-affected (2.7.4+dfsg-1)
devel_mathjax: not-affected (2.7.4+dfsg-1)